The Senate Prepares to Send Internet Privacy Down a Black Hole

Last year the Federal Communications Commission passed a set of strict privacy regulations that ban broadband internet providers from selling your browsing data without your consent. Now, while most Americans are watching Neil Gorsuch’s Supreme Court nomination hearing and Obamacare repeal intrigue, senators could vote as early as today on a resolution to not only reverse the FCC’s action but block the agency from passing similar rules in the future. (The resolution would still need to pass the House and get President Trump’s signature to take effect.)

Even if Republicans spike the Obama-era FCC’s protections, most of which have not taken effect yet, the agency will still have some authority to protect your privacy. But little would stop internet providers from selling your personal data to ad buyers and anyone else hoping to turn a profit by targeting your browsing habits.

Republican lawmakers argue that the FCC’s rules confuse customers because they only cover internet providers and not websites like Google and Facebook. But repealing the them without a new privacy framework in place could create a enforcement vacuum that isn’t good for anyone.

For most of the internet’s existence, protecting users’ privacy has fallen to the Federal Trade Commission. But in 2015, the FCC reclassified internet providers as utility-style “common carriers,” which an appeals court decided the FCC has the sole authority to regulate. With that newfound power, the agency passed stronger rules than the ones enforced by the FTC. If they take effect, broadband providers could not sell your browsing data unless you explicitly opt in. The telco industry hated the order, claiming that it gave the likes of Google and Facebook an unfair advantage. After all, those web giants make billions selling your browsing data by default.

Industry lobbyists even argued that a rule requiring internet providers to provide “reasonable data security” to protect customers’ information from hackers was unreasonable, and new FCC chair Ajit Pai agreed. Earlier this month, he and fellow Republican FCC commissioner Michael O’Rielly voted successfully to suspend the security rules, the first slated to take effect. In a joint statement with acting FTC chair Maureen Ohlhausen, Pai suggested he would soon revisit the rest of the privacy rules as well.

He may not get that chance. Last month, senator Jeff Flake (R-AZ) proposed a resolution to throw out the FCC rules entirely. Flake signed on 23 other Republican senators, including former Republican presidential candidates Ted Cruz, Rand Paul, and Marco Rubio, as co-sponsors.

The resolution takes advantage of the Congressional Review Act, which allows Congress to reverse decisions made by federal agencies and, crucially, ban agencies from passing “substantially similar” rules in the future. “[The FCC’s privacy order] is unnecessary, confusing and adds yet another innovation-stifling regulation to the internet,” Flake told WIRED in a statement last month. “My legislation is the first step toward restoring the FTC’s light-touch, consumer-friendly approach.”

The Worst-Case Scenario

Even if you agree that the FCC’s rules are unfair or confusing, using the Congressional Review Act to reverse them completely at best complicates future privacy enforcement. One problem lies in the phrase “substantially similar.” The act is seldom used, and depending on how courts interpret it, the FCC could end up barred from introducing even the less controversial parts of the privacy order. “The only difference between the FCC rules and the FTC rules is that [the FCC rules] moves web browsing history to the ‘sensitive data’ category,” says Dallas Harris of the consumer advocacy group Public Knowledge. In other words, the FCC could be banned even from passing a less strict set of rules closer to the FTC’s provisions.

That could be a big problem even if the FCC or Congress reverses the common carrier classification that gave the agency the authority to enact its privacy rules in the first place. Most companies that sell internet access also offer telephone service, which are unequivocally common carrier services. And under one interpretation of the appeals court’s ruling last year, that would keep telcos under the FCC’s jurisdiction anyway instead of throwing it back to the FTC. With the FCC hobbled by Congress from passing new privacy rules, neither agency would have the ability to enact meaningful privacy guidelines.

Yes, the FCC still has some authority to regulate privacy under the Communications Act, authority it used when it fined Verizon last year for tracking subscribers’ web browsing without their knowledge. But if the FCC can’t define clear guidance dictating what carriers can and can’t do—or even whether they must take steps to protect customers from hackers—broadband providers and their customers are left guessing.

Critics of the FCC’s rules acknowledge the possibility of this worst-case scenario but call the odds overblown. The rules haven’t taken effect yet, so repealing them doesn’t actually change anything. Plus Congress could always change the rules that prevent the FTC from regulating common carriers, solving the enforcement gap. If all of this sounds confusing, that’s because it is. But one thing is clear: If Trump signs the Senate’s resolution to gut the FCC’s privacy rules, your internet provider will remain free to sell your data to the highest bidder.